It’s Time for IoT Security’s Next Big Step

The Internet of Things security crisis has persisted for decades, producing a seemingly endless stream of under-secured consumer gadgets, corporate phones, printers, networking equipment, medical devices, and critical infrastructure sensors and controllers. By now, every industry has an IoT albatross around its neck. And though new devices are increasingly equipped with basic security protections, those minimum standards are just the beginning.

At the DerbyCon security conference in Louisville, Kentucky last weekend, researchers stressed the need for connected devices to step up security beyond the basics. That means more visibility and logging features, along with better techniques for manufacturers, companies, and consumers alike to spot malicious activity. Protecting a device better doesn’t mean much if you can’t see what’s happening when something does go wrong.

“IoT devices have a pervasive impact on our lives, yet very little thought has been given to how to respond if those devices are misused,” says Lesley Carhart, principal threat hunter at the industrial control security firm Dragos. “Who will investigate devices that have been tampered with and will they be able to investigate?”

Hardware hackers work to understand devices better and hunt for flaws by buying different IoT devices, physically connecting to them with different sensors and tools, and assessing how those systems fit together. This low-level approach works because unlike PCs that broadly only run Windows, Linux, or macOS, IoT devices are built on a virtually infinite hodgepodge of proprietary operating systems and implementations. As a result, it’s difficult to simply develop a single antivirus program or catch-all scanner that can run on large populations of IoT devices. Some researchers have developed so-called “operating system agnostic” sentinels to patrol all different types of embedded devices no matter what’s on them, but those tools aren’t yet widely available.

Deral Heiland, IoT research lead at the security operations firm Rapid7, is applying the hardware-level analysis approach to develop new IoT assessment tools and techniques. Heiland mapped the circuit layouts of two different smart locks to examine “inter-chip” communications on the device motherboards. That means he looked at how data flowed between components like the main device processor, the Wi-Fi processing chip, and the Bluetooth Low Energy chip.

Heiland didn’t disclose any specific vulnerabilities at DerbyCon, but he found a number of weaknesses in how those smart locks handled communication between chips, as well as with the “bridge” components that connect IoT devices to a larger network like the internet. For example, by capturing inter-chip communications, Heiland could determine sensitive information about the authentication keys used to secure the device, like whether they were short enough to potentially be brute-forced, whether the system always required authentication or applied it inconsistently, and whether keys change or are always the same. Heiland hopes to eventually release inter-chip communication analysis tools to help researchers and manufacturers spot bugs early.
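As an added illustration of the three checks described above (key length, consistent authentication, key rotation), here is a small review routine run over a constructed inter-chip capture; it is not Heiland's or Rapid7's code, and the frame format (session, direction, type, payload) and the 128-bit threshold are assumptions for the example.

```python
# Constructed sample capture of frames between a lock's main MCU and its BLE chip.
# The (session, direction, type, payload_hex) format is hypothetical, not any real device's.
SAMPLE_CAPTURE = [
    (1, "mcu->ble", "AUTH",   "a1b2c3d4"),
    (1, "mcu->ble", "UNLOCK", "01"),
    (2, "mcu->ble", "AUTH",   "a1b2c3d4"),   # same key as session 1
    (2, "mcu->ble", "UNLOCK", "01"),
    (3, "mcu->ble", "UNLOCK", "01"),         # no AUTH frame before the command
]

PRIVILEGED = {"UNLOCK", "SET_KEY"}   # commands that should only follow authentication
MIN_KEY_BITS = 128                   # assumed bar below which a key is flagged as too short


def review_capture(frames, min_key_bits=MIN_KEY_BITS):
    """Return findings: short keys, privileged commands without AUTH, keys reused across sessions."""
    findings = []

    # Collect which sessions each distinct AUTH value appeared in.
    sessions_by_key = {}
    for session, _, kind, payload in frames:
        if kind == "AUTH":
            sessions_by_key.setdefault(bytes.fromhex(payload), set()).add(session)

    # 1. Key length: the size of the AUTH value bounds the brute-force search space.
    for key in sorted(sessions_by_key):
        bits = len(key) * 8
        if bits < min_key_bits:
            findings.append(f"short key: {bits}-bit AUTH value {key.hex()}, search space ~2^{bits}")

    # 2. Consistent authentication: every privileged command must follow an AUTH frame in its session.
    authed = set()
    for session, _, kind, _ in frames:
        if kind == "AUTH":
            authed.add(session)
        elif kind in PRIVILEGED and session not in authed:
            findings.append(f"session {session}: {kind} accepted without prior AUTH")

    # 3. Key rotation: an AUTH value seen in several sessions never changes, so one captured value stays valid.
    for key, sessions in sessions_by_key.items():
        if len(sessions) > 1:
            findings.append(f"static key: AUTH value {key.hex()} reused in {len(sessions)} sessions")
    return findings


if __name__ == "__main__":
    for finding in review_capture(SAMPLE_CAPTURE):
        print(finding)
```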

At DerbyCon, Heiland sought input from the security community about the specific analysis capabilities he should develop over the coming year. “This is just phase one,” he says. “The ultimate goal of research like this—if I can look at your inter-chip communication—is to help manufacturers do security right.”

Those manufacturers have increasingly taken the admonitions to heart. After more than a decade of hectoring from the security community, for example, medical device manufacturers have recently started making long overdue improvements to implantable devices like pacemakers and insulin pumps.